Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 59d95b241a02fbef…

MALICIOUS

RTF / .DOC

81.9 KB
MD5:     9f63ee5ef179cfcf56619e1c9d44447a
SHA-1:   6c9efbc2d4a76e25d826f85b7f0d27906cade93a
SHA-256: 59d95b241a02fbef4d098fe7ff3ce6a5b97e638661429702744436c90c3047fa

Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The RTF document contains OLE object data and an \objupdate directive, which are strong indicators of malicious intent. The \objupdate heuristic specifically points to the activation of embedded OLE objects, a common technique for delivering and executing malware. While no specific family is identified, the method strongly suggests a malicious attachment designed to exploit OLE vulnerabilities.

Heuristics (2)

  • \objupdate forces OLE activation (severity: high, rule: RTF_OBJUPDATE)
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data (severity: medium, rule: RTF_OBJDATA)
    RTF contains 1 \objdata section(s) — embedded OLE objects.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  objdata_00_off000017d5.bin
SHA-256:   fe1a2f6a032d5e80da3d1842daa7bae1f41415c31e32ab174bccab76c63cd644
Kind:      rtf-objdata-decoded
Source:    RTF \objdata at offset 0x17D5
Size:      1728 bytes